Logout when Browser is closed

I have a hard criteria that the application needs to logout the user when the browser is closed. It’s in a setting where PCs are used by multiple users and they close the browser when they are finished. The problem is when the next person opens the browser it is still logged in with the previous user.

I realized the login via spring security and it seems this survives even the end of the VaadinSession.
Anyone any ideas how to implement this?

I think you look for the lifetime of a UI session.
https://vaadin.com/forum/thread/17748771/when-an-ui-instance-is-created-in-vaadin-flow
and
https://vaadin.com/docs/latest/advanced/application-lifecycle#application.lifecycle.ui

I’m afraid to set the session timeout to something like 10s and the heartbeat to like 3s. I found out that “Remember Me” was active which caused to login to survice past the session desctruction.

My current idea is to track the sessions and regulary check which sessions have no UIs and than close them.

I think in v24 there has been some improvement, to detect closed UI’s faster and free memory more eagerly on server side.
Server push helps in this context too, since it detects when the push to the client no longer works

yes because of the Beacon API the UI is now closed instantly, otherwise this wouldn’t work

interestingly when I call VaadinSession.close() the destroyListeners aren’t called. They are called when the session expires.

I solved it. If someone encounters the same problem in the future the solution is to track the Creation and Destruction of Sessions using a VaadinServiceInitListener. Than regulary check all sessions if they have UIs. If not, get the wrapped session and remove HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY from the attributes. This causes spring security to lose it’s information and redirect to the login when an additional UI is opened while the session is still alive. The actual code is to large to be shared here